GHSA-227w-wv4j-67h4 de.tum.in.ase:artemis-java-test-sandbox

Package

Manager: maven
Name: de.tum.in.ase:artemis-java-test-sandbox
Vulnerable Version: >=0 <1.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

Class Loading Vulnerability in Artemis

### Impact

This affects all Artemis users who test Java assignments. **Ares is not required.** Students' code that gets automatically tested can run arbitrary code in the container, or arbitrary code on the machine of an assessor in case of manual correction.

### Patches

The problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-no-student-code-in-trusted-packages</id>
      <phase>process-classes</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <rules>
      <requireFilesDontExist>
        <files>
          <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->
        </files>
      </requireFilesDontExist>
    </rules>
  </configuration>
</plugin>
```

This fails the build if student classes reside in packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added as well.

### For more information

If you have any questions or comments about this advisory:

* Open a discussion at https://github.com/ls1intum/Ares/discussions
* Open an issue at https://github.com/ls1intum/Ares/issues
* Email us, see https://github.com/ls1intum/Ares/security/policy

### References

See the assignment of Julius that passes the tests in the TUM Artemis course "Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests" (if that still exists in 2022). Also see #15 for almost the same problem.
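The Maven Enforcer rule above fails the build when compiled student classes land in a package that Ares trusts. The following shell script is an added example, not code from the advisory or from the Ares project, that performs the same check outside of Maven (for instance as a CI step before the test sandbox runs): it maps each trusted package name to its directory under the compiled classes folder and fails if any `.class` file is found there. The package name `de.example.trusted` and the `target/classes` path are assumed placeholders; the real list must come from the rules Ares reports as missing and from any packages registered with `@AddTrustedPackage`.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Ares): fail when compiled
# classes exist under package directories that the test framework trusts.

# classes_in_trusted_packages CLASSES_DIR PKG...
# Lists every .class file found under the directory of each dotted package
# name on stderr. Returns 0 when no such class exists, 1 otherwise.
classes_in_trusted_packages() {
    classes_dir=$1
    shift
    total=0
    for pkg in "$@"; do
        # "de.example.trusted" -> "CLASSES_DIR/de/example/trusted"
        pkg_dir="$classes_dir/$(printf '%s' "$pkg" | tr . /)"
        # A trusted package that no student code touched has no directory.
        [ -d "$pkg_dir" ] || continue
        n=$(find "$pkg_dir" -type f -name '*.class' | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$pkg_dir" -type f -name '*.class' \
                | sed 's/^/student class in trusted package: /' >&2
            total=$((total + n))
        fi
    done
    [ "$total" -eq 0 ]
}

# Usage (assumed paths and package names, adjust to the rules Ares reports):
#   classes_in_trusted_packages target/classes de.example.trusted
# Only run the check when invoked with arguments so the function can also be
# sourced from another script.
if [ "$#" -gt 0 ]; then
    classes_in_trusted_packages "$@"
fi
```

Run it after compilation and before the tests; a non-zero exit status blocks the build just as the `requireFilesDontExist` rule does, and the listed paths tell the assessor which files need to move.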

Metadata

Created: 2022-02-09T22:30:30Z
Modified: 2022-02-09T22:30:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-227w-wv4j-67h4/GHSA-227w-wv4j-67h4.json
CWE IDs: ["CWE-501", "CWE-653"]
Alternative ID: N/A
Finding: F004
Auto approve: 1